The Global Reach of the Right to be Forgotten Through The Lenses of The Court of Justice of the European Union

197sttrts ?
1. Introduction
The right to be forgotten is one of the most controversial rights in modern EU law. It
is a sort of response to an Internet that “never forgets”, and can be understood as society’s
capacity for forgiveness and empathy regarding past mistakes.
1
Being established in the case-
law of the Court of Justice of the European Union
2
, in particular in the case of Google Spain
SL and Google Inc. v  AEPD and Mario Costeja Gonzales (hereto – Google Spain)
3
, it was
reflected in article 17 (Right to erasure (‘right to be forgotten’)) of the General Data Protection
Regulation (hereinafter – “GDPR”)
4
, which states that “The data subject shall have the right
to obtain from the controller the erasure of personal data concerning him or her without
undue delay and the controller shall have the obligation to erase personal data without undue
delay”. It clarifies that the right to erasure applies when: “(a) the personal data is no longer
necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based (…); (c) the data
subject objects to the processing (…), (d) the personal data has been unlawfully processed”.
It is considered that “the right to be forgotten represents a positive shift in cyberspace law
and policy because it increases individuals’ control over personal information, and restores
the balance between free speech and privacy in the digital world”.
5
 However some scholars
tend to believe the appearance of this right is “the biggest threat to free speech on the Internet
in the coming decade”
6
. This is due to the fact that not all issues related to the right to be
forgotten were resolved after its codification in the GDPR, so there are several main issues
yet to be solved.
In the Google Spain case, the Court stressed that the right enshrined in article 17 of the
GDPR cannot be considered as unlimited: “as the de-referencing of search results might
negatively affect others, e.g.  internet users trying to obtain information on a  past event,
such requests have to be carefully weighed against the latter’s freedom of information”
7
. This
clearly indicates possible problems in balancing this right with other rights and interests in
the law-enforcement practice. Therefore, the CJEU in its judicial practice tries to consistently
form an acceptable balancing position and provide the most possible level of protection of the
right to data protection while respecting other rights and interests.
1
REYMOND, M. J.: The future of the European Union “Right to be Forgotten”. Latin American Law Review.
2019. Issue 2. pp. 81–98.
2
Hereinafter – the CJEU, the Court.
3
Case C-131/12 Google Inc. Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario
Costeja Gonzales ECLI:EU:C:2014:317 (hereinafter – the “Google Spain”).
4
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data and
repealing Directive 95/46/EC (General Data Protection Regulation). Available at: https://eur-lex.europa.eu/eli/
reg/2016/679/oj.
5
LYNDSAY, C.: The Right to Be Forgotten: A Step in the Right Direction for Cyberspace Law and Policy. Journal
of Law, Technology & the Internet. 2015, vol. 6, p. 122.
6
ROSEN, J.: The Right to be Forgotten. Stanford Law Review. February 13, 2012. Vol. 64. Available at: https://
review.law.stanford.edu/wp-content/uploads/sites/3/2012/02/64-SLRO-88.pdf.
7
GLOBOCNIK, J.: The Right to Be Forgotten is Taking Shape: CJEU Judgments in GC and Others (C-136/17)
and Google v CNIL (C-507/17) GRUR International. April 2020, vol. 69, issue 4, pp. 380–388. Available at:
https://academic.oup.com/grurint/article/69/4/380/5732807.

198flžMTh ? LUSINE VARDANYAN ? o Koh CY sttrts
Another issue as Advocate General Szpunar stated in his Opinion delivered on 10 January 2019
on the case of Google v. CNIL is the territoriality principle,
8
which is highly debatable. In turn,
M. Taylor even considers the global removal of information as an illustration of ineffective
jurisdictional excess.
9
Therefore, it is not surprising that the national Data Protection
Authorities (DPAs) and the courts have encountered serious difficulties in interpreting and
applying the right to be forgotten, which was the reason for a large number of preliminary
requests sent to the CJEU. Thus, in September 2019 the CJEU accepted the case of Google v.
CNIL
10
, the request for a preliminary ruling on which the above case is based was specifically
concerned with the geographical scope of the right to be forgotten. Many scholars interpreted
the judgment of the CNIL case as a territorial restriction on the right to be forgotten. In
particular, as M. Samonte believes: “By explicitly limiting the territorial scope of the right to be
forgotten, the Court may seem to have inadvertently limited the impact and protective effect
of this right.”
11
However, is it possible to consider such an interpretation as unambiguous?
We believe that it is not, taking into account the open possibility of interpreting the CNIL
case in a  different way – as creating conditions for a  global right to be forgotten, i.e. as
“a  floor, not a  ceiling”.
12
This trend has become even more clearly visible in the case of
Glawischnig-Piesczek v. Facebook Ireland Limited.
13

2. The right to be forgotten: The pre-CNIL situation and the main problems.
In 2014 in the Google Spain case, the CJEU established the “right to be forgotten”,
which gave a legal opportunity to ask the operator of any search engine to remove certain
links to information that infringes on the data subject’s rights and affects his/her privacy in
conditions when “(…) that information appears, having regard to all the circumstances of the
case, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes
of the processing at issue carried out by the operator of the search engine (…)”.
14
It means
that after receiving a request from a data subject to remove links, the search engine operator
must determine whether this information is “inadequate, irrelevant or no longer relevant,
or excessive” or not, and in the case when the data subject’s request is denied by such search
engine operator, the data subject has the right to apply to the court for protection of his / her
personal data. Of course, it should be noted that the emergence of the phenomenon of the
right to be forgotten in the EU’s legal reality can clearly be considered as a step forward in the
8
Opinion Of Advocate General Szpunar delivered on 10 January 2019, Case C-507/17 Google LLC, successor in
law to Google Inc. v Commission nationale de l’informatique et des libertés (CNIL), para. 45. Available at: https://
eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62017CC0507.
9
TAYLOR, M.: Google Spain Revisited: The Misunderstood Implementation of a Landmark Decision and How
Public International Law Could Offer Guidance. European Data Protection Law Review. 2017. vol. 3, issue 2,
pp. 195–208.
10
Case C-507/17 Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés
(CNIL), ECLI:EU:C:2019:772 (hereinafter – “Google LLC v CNIL”).
11
SAMONTE, M.: Google v CNIL Case C-507/17: The Territorial Scope of the Right to be Forgotten Under EU
Law. 2019. Available at: https://europeanlawblog.eu/2019/10/29/google-v-cnil-case-c-507-17-the-territorial-
scope-of-the-right-to-be-forgotten-under-eu-law/.
12
Ibid.
13
Case C-18/18 Eva Glawischnig-Piesczek v Facebook Ireland Limited, ECLI:EU:C:2019:821, para. 55. Hereinafter
– “Piesczek v. Facebook”.
14
Case C-131/12 Google Inc. Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario
Costeja Gonzales, ECLI:EU:C:2014:317 (hereinafter – the “Google Spain”), para. 94.

199ěsttrts fffl ffflffff flffffffflžffČČ?
question of ensuring the privacy protection of the data subject, giving him/her a carte blanche
to protect his/her privacy in conditions when “the Internet never forgets”.
15
As S. Alessi righty
argues: “Once information is uploaded, the Internet stores it permanently, in what has been
called “digital eternity.” Hence, when personal information is uploaded online, our most
embarrassing or painful moments may acquire lasting significance and haunt our lives. The
Internet is an integral part of our lives to collect information, manage finances, socialize, and
shop. Thus, it risks infringing upon individuals’ right to privacy”.
16
In turn, J. Rosen also
argues that: “(…) the right to be forgotten addresses an urgent problem in the digital age:
it is very hard to escape your past on the Internet now that every photo, status update, and
tweet lives forever in the cloud”.
17

However, despite the apparent progressiveness of the Google Spain judgment in the
field of the EU human rights protection, it nevertheless gave rise to many problems that
need to be solved and thus determined the trend of further development of the case law
of CJEU in the field of digital rights. In this context R. Weber rightly notes that: “a clearer
picture of the actual objective of a new fundamental right is necessary. The proclamation
of a  right to be forgotten as such does not suffice. It recalls the myth of Pandora’s box:
Impelled by her natural curiosity, Pandora opened the box and all the evils contained in it
escaped”.
18
In this context naturally arises the question about what are the main issues that
flow out of the Google Spain judgment? This question is correctly answered by O. Gstrein,
who notes that there are three questions that remained without response in the judgment of
the Google Spain case, in particular: 1) the lack of direct legal supervision and transparency
for the procedure of removal of personal information; 2) the content publisher’s right to
be heard and 3) the territorial scope of the application.
19
At the same time, when analysing
the issue of fundamental rights, the CJEU refers only to its own case law and ignores the
judgments of other jurisdictions. The CJEU did not accept the position of the Advocate
General (hereinafter – AG), who insisted on finding a  reasonable proportional balance
between the protection of personal data and the rights of the information community, as
well as the legitimate interests of Internet operators and Internet users in general.
20
The
Court ignored references to the European Convention on Human Rights and Fundamental
Freedoms (hereinafter – ECHR) and the case-law of the European Court of Human Rights
(hereinafter – ECtHR), which creates the risk that the same rules of law will be interpreted
differently by different jurisdictions. The Court emphasizes that individuals have the right
to request the removal of their personal data from search results, but does not mention, for
15
CROCKETT, M.: The Internet (Never) Forgets. 19 SMU Sci. & Tech. L. Rev. 151. 2016. Available at: https://
scholar.smu.edu/scitech/vol19/iss2/4.
16
ALESSI, S.: Eternal Sunshine: The Right to Be Forgotten in the European Union after the 2016 General Data
Protection Regulation. Emory International Law Review. 2017. Vol. 32. Available at: https://law.emory.edu/
eilr/_documents/volumes/32/1/alessi.pdf.
17
ROSEN, J.: The right to be forgotten. Stanford Law Review Online. 2012. Vol. 64:88. Available at: https://review.
law.stanford.edu/wp-content/uploads/sites/3/2012/02/64-SLRO-88.pdf.
18
WEBER, R.: The Right to Be Forgotten: More Than a Pandora’s Box? 2012. Available at: https://www.jipitec.
eu/issues/jipitec-2-2-2011/3084.
19
GSTREIN, O.: The Judgment That Will Be Forgotten: How the ECJ Missed an Opportunity in Google vs
CNIL (C-517/17). 2019. Vefassungsblog. Available at: https://verfassungsblog.de/(…)t-will-be-forgotten/.
20
See Opinion of Advocate General Jääskinen delivered on 25 June 2013, Case C‑131/12 Google Spain SL Google
Inc. v Agencia Española de Protección de Datos (AEPD) Mario Costeja González, ECLI:EU:C:2013:424, para. 31.
Available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62012CC0131.

200flžMTh ? LUSINE VARDANYAN ? o Koh CY sttrts
example, freedom of expression and information, and does not refer to Article 11 of the EU
Charter of Fundamental Rights (hereinafter – CFR). It means that the Court introducing
in its judgment the right to be forgotten as a  means of human privacy protection raises
concerns about its balancing with freedom of expression and information. In this context
some scholars have critically perceived the emergence of the phenomenon of the right to
be forgotten in the European legal reality, considering it as an “unforgettable fiasco, (…)
morphing into a nightmare for the web giant”
21
, “an emerging threat to media freedom in
the digital age”
22
, “that threatens to censor entire swathes of the web”
23
. As E. Lee notes: “The
EU right to be forgotten is a new privacy right (or a new application of privacy to Internet
search engines) that has sparked great controversy around the world. The major concern
among critics of the judgment is that it will lead to the censorship of information on the
Internet by making it difficult, if not impossible, to find relevant articles associated with
a person.”
24
The same position is held by E. Politou, A. Michota and others, claiming that:
“[right to be forgotten] caused prolonged controversies due to its pivotal impact on current
data processing procedures and its unavoidable conflicts with other rights such as the right to
free speech and the freedom of information, especially in the era of big data and the Internet
of Things (IoT)”.
25

As one can notice many of the complaints about freedom of expression and information
are about the balancing of the rights and where the line is to be drawn.
26
The Court also
speaks about the balance of private interests to protect their personal data and public interests
to search for information related to the name of the personal data subject, but does not give
any criteria for establishing such a balance, only noting that such a balance must be found in
each specific case and will depend on the situation. At the same time the issue of territorial
scope of Directive 95/46/EC
27
itself was also left open by the CJEU. For example, it is unclear
whether the “right to be forgotten” applies only within the EU? Whether it applies to search
engines running on the .com domain or other domains outside the EU as well?
The criticism of the judgment in the Google Spain case mainly boils down to two
competing aspects – the judgment infringes on media freedom and freedom of expression
21
WOHLSEN, M.: For Google, the ‘Right to Be Forgotten’ Is an Unforgettable Fiasco. 2014. Available at: https://
www.wired.com/2014/07/google-right-to-be-forgotten-censorship-is-an-unforgettable-fiasco/.
22
See OGHIA, M. J.: Information Not Found: The “Right to Be Forgotten” as an Emerging Threat to Media
Freedom in the Digital Age. CIMA Digital Report, January 9, 2018. Available at: https://www.cima.ned.org/
publication/right-to-be-forgotten-threat-press-freedom-digital-age/.
23
See SOLON, O.: EU ‘Right To Be Forgotten’ Ruling Paves Way for Censorship. 2014. Available at: http://www.
wired.co.uk/news/archive/2014-05/13/right-to-be-forgotten-blog.
24
LEE, E.: The Right to Be Forgotten v. Free Speech. I/S: A Journal Of Law And Policy For The Information Society,
2015. vol. 12:1. p.110. Available at: https://kb.osu.edu/bitstream/handle/1811/80043/ISJLP_V12N1_085.pdf.
25
POLITOU, E., MICHOTA, A. et. al.: Backups and the right to be forgotten in the GDPR: An uneasy relationship.
Computer Law & Security Review. 2018. vol. 34. issue 6. pp. 1247–1257. Available at: https://www.sciencedirect.
com/science/article/abs/pii/S0267364918301389.
26
GEORGIADES, E.: Down the Rabbit Hole: Applying a Right to Be Forgotten to Personal Images Uploaded
on Social Networks. Fordham Intellectual Property, Media and Enter, Media and Entertainment Journal. 2020.
Volume 30 XXX Number 4, p. 1134.
27
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ
L281/31 (hereinafter, the “Directive” or “DPD”).

201ěsttrts fffl ffflffff flffffffflžffČČ?
and information.
28
The desire to allow individuals to demand the deletion of data that they
no longer want to disclose to the public is understandable. However, according to many
experts, this right should not in any way violate or restrict the freedom of the press and allow
individuals to demand that legitimate and correct information in news archives be hidden
or deleted.
29
Otherwise, the Internet space will be filled with inactive links and dead-end
information (information cul-de-sacs) because of the judgment of the CJEU. By introducing
such new standards for the protection of personal data, the CJEU forces any Internet company
to follow the rules set out in this judgment, even if such a company de facto operates outside
the EU. Obviously, the Court’s judgment should raise questions about the extraterritorial
nature of both the right to be forgotten and the GDPR in general. The questions of the
interpretation of the Data Protection Directive 95/46/EC
30
(hereinafter – “DPD”) raised in
preliminary ruling were assessed in the light of the GDPR “in order to ensure that its answers
will in any event be of use to the referring court”.
31
 So, the Court dispelled doubts about the
possibility of transferring the conclusions of this case to the new legal regime, but it did not
resolve the issue of the territorial application of this legal instrument.
Thus, the CJEU, having made a judgment that does not have any evaluation criteria
or guidelines for national courts on how to implement it, has opened a  way for endless
judicial debate. Problems related to the implementation of this judgment of the CJEU by the
national courts of the EU member States have caused the Court to start receiving preliminary
requests. As Y. Padova states: “The ‘right to be forgotten’ (…) continues its judicial saga as
it is being examined by the very same Court that created it, following the submission of
11 preliminary questions by the French Conseil d’État before the Court of Justice of the
European Union (CJEU)”.
32
3. The CNIL case: general provisions
In 2015 the French Data Protection Authority (Commission nationale de l’informatique
et des libertés (hereinafter – CNIL)) notified Google of its obligation to remove links from
all versions of its search engine worldwide. The CNIL held the position that removing links
about an individual on the French version of Google is not enough to protect human rights.
To do  this, Google should exclude links from the list everywhere. The CNIL considered
it insufficient to exclude links from all extensions operating in the EU, as well as from all
search queries conducted in France, since Internet users located in France can still access
other versions outside the EU. Nevertheless, Google refused to remove face data from all
versions of its search engine and continued to restrict links only in versions of its search
engines with domain extensions within the EU. In March 2016, Google tried to compromise
with the CNIL and somehow to change the situation. It proposed the implementation of
28
See BERT-JAAPKOOPS.: Forgetting Footprints, Shunning Shadows: A  Critical Analysis of the “Right to
Be Forgotten” in Big Data Practice. SCRIPTED. 2011. vol. 8. issue 3. Available at: https://script-ed.org/wp-
content/uploads/2011/12/koops.pdf.
29
International New York Times, May 15, 2014. «Ordering Google to forget», p. 8.
30
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data. Available at:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046.
31
Case C-507/17 Google LLC v CNIL, para. 41.
32
PADOVA, Y.: Is the right to be forgotten a universal, regional, or ‘glocal’ right? International Data Privacy Law.
2019. Vol. 9, No. 1, p. 15.

202flžMTh ? LUSINE VARDANYAN ? o Koh CY sttrts
geo-blocking meaning that “internet users would be prevented from accessing the results at
issue from an IP (Internet Protocol) address deemed to be located in the State of residence of
a data subject (…), no matter which version of the search engine they used”.
33
As K. Walker
points out: “That means that if we detect you’re in France, and you search for someone who
had a link delisted under the right to be forgotten, you won’t see that link anywhere on
Google Search—regardless of which domain you use. Anyone outside the EU will continue
to see the link appear on non-European domains in response to the same search query”.
34

The CNIL found the suggested measure to be insufficient for the solution of the situation.
The Commission’s order rejected Google’s compromise position and mentioned that “only
delisting on all of the search engine’s extensions, regardless of the extension used or the
geographic origin of the person performing the search, can effectively uphold this right. The
solution that consists in varying the respect for human rights on the basis of the geographic
origin of those viewing the search results does not give people effective, full protection of
their right to be delisted.”
35
Google turned to the French Conseil d’État for the fine, which
was imposed by CNIL.
36
The latter observed that a user located in a Member State is able to
use the international version of the search engine instead of the one tailored for its specific
country, that common databases and a common indexing process connects the international
version with all the nation-specific versions of the search engine, and that cookies created by
a user while visiting a specific version of the search engine would be automatically shared
with all other versions of the search engine.
37
The Conseil d’État stated that all processing
of personal data done by the Google should be seen as a single combined process and that
therefore no distinction should apply between the nation-specific versions of the search
engine and the international one, for the matter of enforcing data protection rights.
38
Google
argued that the Court in the Google Spain case did not define the territorial scope of the right
to be forgotten.
39
The Conseil d’État referred questions to the CJEU for a preliminary ruling
on the scope of articles 12 (b) and 14 (a) of the DPD and asked the CJEU for guidance on
the territorial scope of de-referencing. Three options were identified: 1) de-referencing on all
language versions of the search engine; 2) EU-wide de-referencing; and 3) de-referencing of
links only in such a member State and from such a language version of the search engine for
which the removal request was submitted, which is mainly due to the geo-blocking of search
results in other language versions of the search engine.
4. Tackling the “regional” option of the right to be forgotten
In CNIL case the CJEU has been faced with the dilemma of choosing between recognizing
the global application of the right to be forgotten, which would ensure full protection of this
right, and between recognizing the non-universal application of the right to be forgotten,
thereby reducing the level of protection of this right, but taking into account the “digital
33
Ibid, p. 32.
34
WALKER, K.: A Principle That Should Not Be Forgotten. Google Blog. May 19, 2016. Available at: https://blog.
google/topics/google-europe/a-principle-that-shouldnot-be-forgotten/[https://perma.cc/8ZCH-JCG3.
35
Commission nationale de l’informatique et des libertés [CNIL] Google, Inc., No. 2016-054, Mar. 10, 2016, 3
(Fr.): 53.
36
Case C507/17 Google LLC v CNIL. para. 32–34.
37
Ibid, para. 36-38.
38
Ibid, para. 37.
39
Ibid, para. 38.

203ěsttrts fffl ffflffff flffffffflžffČČ?
sovereignty” of states.
40
At first glance, the Court chooses the latter. The Court pointed out
that many third States either do not acknowledge the right to be delisted or “have a different
approach” to it,
41
meaning that they might decide to settle the dispute with the right to
freedom of information in favour of the latter.
42
 But that it is by no means obvious from the
wording of the Directive and the GDPR that the EU legislature has decided to grant a scope
for the right in question that extends beyond the territory of the member States.
43
Next,
the Court highlighted the difficulties of global redirection, noting that the public interest
in access to information varies significantly depending on third States, so the balance of
fundamental rights will also differ. Article 17 (3) of the GDPR gives the power to the EU
and to authorities of Member States to balance between the mentioned conflicting interests,
but not for situations where an extra-territorial application is deemed as more desirable and
effective,
44
nor are national supervisory authorities within the EU equipped with proper codes
of conduct and mechanisms for the balance of conflicting interests in an extra-territorial
situation.
45
So the GDPR does not offer an obligation for a search engine to apply the right to
de-referencing on a global scale.
46
In accordance with its approach in the Google Spain case,
the CJEU concluded that under EU law there is no obligation to cancel the reference for all
language versions of the search engine.
47
The Court preferred a review of the law on an EU
scale.
48
Besides, the Court essentially expresses respect for the right of other states to strike
a different balance between the right to data protection and freedom of information. The
Court tried to provide the highest possible level of protection of the right to data protection,
while respecting the international comity
49
and legal diversity. Although even the best
intentions of the Court in the matter of international cooperation reduce to nothing when
one evaluates such a position from the point of view of the effectiveness of the protection of
the right itself. The fact is that it is not possible to fully and effectively enforce this right at
the local level because it would give Internet users who search information outside the EU
an opportunity to still have access to links that do not apply in the EU. The CJEU is also
40
For further details see: HAMUĽÁK, O., KISS, L.  N., GÁBRIŠ, T., KOCHARYAN, H.: “This Content is
not Available in your Country” A General Summary on Geo-Blocking in and Outside the European Union.
International and Comparative Law Review, 2021, vol. 21, no. 1, pp. 153–183.  https://doi.org/10.2478/iclr-
2021-0006.
41
Case C507/17 Google LLC v CNIL. para. 59.
42
Ibid, para. 60.
43
Ibid, para. 62. 
44
Ibid, para. 61–62.
45
Ibid, para. 63.
46
Ibid, para. 64–65.
47
Ibid, para. 64.
48
Ibid, para. 66.
49
A clear example of the application of the international comity principle in the field of personal data protection
may serve the Brief of the European Commission on behalf of the European Union as Amicus Curiae in support of
Neither Party in the case of United States of America v. Microsoft Corporation, where the European Commission,
stated that: “Any domestic law that creates cross-border obligations – whether enacted by the United States, the
European Union, or another state – should be applied and interpreted in a manner that is mindful of the restrictions
of international law and considerations of the international comity. The European Union’s foundational treaties
and case law enshrine the principles of “mutual regard in the spheres of jurisdiction” of sovereign states and
of the need to interpret and apply EU legislation in a manner that is consistent with international law” (See :
p. 7). Available at.: https://www.supremecourt.gov/DocketPDF/17/17-2/23655/20171213123137791_17-2%20
ac%20European%20Commission%20for%20filing.pdf.

204flžMTh ? LUSINE VARDANYAN ? o Koh CY sttrts
aware of this fact. It points out that the purpose of the EU data protection law is to guarantee
a high level of protection throughout the EU.
50
This means that the assertion of the legality
of only non-universal application of the right to be forgotten could interfere with the EU’s
goal of ensuring a high level of personal data protection. In its turn, Article 29 Working Party
(hereinafter – “WP29”) stated that “in order to give full effect to the data subject’s rights as
defined in the Court’s ruling, delisting decisions must be implemented in such a way that
they guarantee the effective and complete protection of the data subjects’ rights and that EU
law cannot be circumvented. In that sense, limiting delisting to EU domains on the grounds
that users tend to access search engines via their national domains cannot be considered
a sufficient means to satisfactorily guarantee the rights of the data subjects according to the
ruling”.
51
The WP29 added, that “in practice, this means that, in any case, de-listing should
also be effective on all relevant domains, including .com”.
52
The approach of the CJEU on the admissibility of the local application of the right to
be forgotten was recognized by some researchers as a victory for Google for global freedom
of expression.
53
Although the Court’s judgment itself, at first glance, considers the local
application of this right in conjunction with geo-blocking measures to be an acceptable
solution in this situation, it should be noted that this is a direct path to the fragmentation of the
Internet. J. Daskal highlights the risk of such fragmentation , he argues that: “(…) countries
with less liberal views about freedom of speech and expression can effectively create a fenced
version of the internet based on arbitrary parameters (…)”.
54
In addition, the commitment
to the “local” application of the right to be forgotten in the position of the CJEU is not so
clearly expressed. The existence of such an unambiguous position that would exclude the
global application of this right would mean the weakening of the protection of the right
under consideration by the Court itself. It seems to us that the CJEU does not consolidate
such an unambiguous position today and is unlikely to adopt such a consolidation in favour
of the “local” application of the right to oblivion in the near future.
5. Or maybe a “universal” application of the right to be forgotten after all?
It is noteworthy that a categorical prohibition of the possibility of the global application
of the right to be forgotten in the judgments is unlikely to be found. On the contrary, in
the detailed analysis of the Court’s considerations in the CNIL case one can see indirect
recognition of the possibility of the global application of the law in question. As one can
see the Court made clear that while the EU law does not currently require worldwide de-
referencing, “it also does not prohibit such a practice”
55
. The CJEU stated that while nothing
in EU law can be interpreted as imposing a global enforcement of the right to de-referencing,
50
Recitals 10, 11 and 13 of the GDPR.
51
WP29 Guidelines on the Implementation of the CJEU Judgment on ‘Google Spain and Inc v. Agencia Espanola
de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez’ C-131/12, adopted on 26 November 2014, p. 3.
52
Ibid.
53
COWBURN, P.: Google win in right to be forgotten case is victory for global freedom of expression.
September 24, 2019. Available at: https://www.article19.org/resources/google-win-in-right-to-be-forgotten-
case-is-victory-for-global-freedom-of-expression/.
54
DASKAL, J.: Internet Censorship Could Happen More Than One Way. The Atlantic. 25 September 2019.
Available at: https://flipboard.com/@TheAtlantic/internet-censorship-could-happen-more-than-one-way/
f-260e7e11b8%2Ftheatlantic.com.
55
Case C507/17 Google LLC v CNIL. p. 72.

205ěsttrts fffl ffflffff flffffffflžffČČ?
national authorities are not prevented from demanding such an extensive implementation
on a case-by-case basis, should this not be seen as a clear threat to the right to freedom of
information of the global population.
56
It is not known whether unintentionally, through
the vague wording of the provision or completely intentionally, whether the CJEU thereby
provides an opportunity for global protection (…) of the right to information of the global
population. This in itself shows that the Court is not at all categorical about the possibility
of protecting individual rights on a global scale. As M. Zalnieriute points out: “By leaving
the door to extraterritorial de-referencing wide open, the CJEU continues to pursue its post-
Snowden hard-line stance on data privacy in a manner that is likely to transform the data
privacy landscape”.
57
Even a careful analysis of the GDPR shows that the legal act does not contain a provision
that would directly limit its scope. Moreover, article 3(2)(b) of the GDPR states that the
GDPR applies to monitoring user behaviour occurring in the EU, even if the controller is
not registered in the EU. Considering the territorial applicability of the GDPR, the CJEU in
the CNIL case does not change the broad interpretation of article 3(1) of the GDPR, given
in the Google Spain case, where it was extended to the processing of personal data of data
subjects located in the EU by a controller not registered in the EU, if the processing actions
were related to the offer of goods or services. Therefore, the position of the CJEU that the
EU legislature does not grant the rights enshrined in the GDPR outside the territory of EU
member States is questionable.
58 
The Court first noted that in a globalized world, even access to information specified in
search results by an Internet user located outside the EU can have immediate and significant
consequences for the victim in the EU.
59
 The CJEU stressed that the Conseil d’État considers
Google as a single entity when it comes to the processing of data connected to natural persons
such as French/EU citizens.
60
It also acknowledged the validity of the argument that a global
application of the right to be delisted would certainly meet the declared aim of the GDPR –
“to guarantee a high level of protection of personal data” within a global online environment
that facilitates the flow of information across national boundaries to a degree never witnessed
before’’.
61
In this way, the Court gives legitimacy to global de-referencing. As P. Dixit states:
“The judgment in favour of Google, allowing dereferencing only around the EU and not
globally is criticized, however the judgement when read intrinsically allows the Member
States to weigh between the right to be forgotten and the right to freedom of information and
if in the interest of the national public good, there be a reason to demand for dereferencing
globally, such an order can be made. This proves that there is no complete bar and limitation
to the right to be forgotten in the EU”.
62
56
Ibid, para. 72.
57
ZALNIERIUTE, M.: Google LLC v. Commission nationale de l’informatique et des libertés (CNIL), American
Journal of International Law. April 2020. Volume 114. Issue 2. pp. 261–267. Avaliable at: https://www.
cambridge.org/core/journals/american-journal-of-international-law/article/google-llc-v-commission-nationale-
de-linformatique-et-des-libertes-cnil/AF7235FDDA7059C2418166C4612597CD.
58
Case C507/17 Google LLC v CNIL., para. 62. 
59
Ibid, para. 57.
60
Ibid, para. 52.
61
Ibid, para. 54–58.
62
DIXIT P.: Will The Internet Remember You Forever? Right To Be Forgotten And Its Territorial Limits. 2019. Available
at: https://www.iiprd.com/will-the-internet-remember-you-forever-right-to-be-forgotten-and-its-territorial-limits/.

206flžMTh ? LUSINE VARDANYAN ? o Koh CY sttrts
Besides, the Court subordinates the processing of data by Google on all its domains to
the GDPR jurisdiction, ruling that Google should be considered as performing a single act of
processing personal data.
63
 Despite the Court’s considerations that EU law does not provide
for an obligation to implement the revocation of reference on a  global scale, the Court
nevertheless points out that the EU legislature has the competence to establish an obligation
if it chooses to do so.
64
Such a view is probably based on the possibility of extending EU law
outside the EU when extraterritorial application of the EU law may be warranted by the
necessity of properly defending the Union’s values.
65
The Court also noted that while EU law does not require the abolition of reference
on a global scale, it also does not prohibit such practices. Therefore the CJEU itself in its
subsequent case law gave a positive answer to the question whether an order to a host provider
to delete unlawful content pursuant to article 15(1) of the Directive 2000/31/EC
66
may have
a worldwide effect.
67
In the Google v. CNIL case, the Court is of the opinion that a national
supervisory or judicial authority may, after balancing the rights and interests of the subjects
involved in the light of national standards for the protection of fundamental rights, order the
search engine operator to remove the link to all versions of the search engine.
68
The CNIL, in
a press release issued after the Court’s judgment in the case under consideration, highlighted
this competence, but recognized that it was only competent to order worldwide renaming
“in some cases”.
69
The Court leaves space for the possibility of a global application of the right to be forgotten,
as defined by national Data Protection Authorities (hereinafter – “DPA”) or national courts of
the EU member states. In doing so, it provided national DPA and national courts with some
space for manoeuvre so that they could respond to the circumstances of a particular case.
However, deviation from the EU-wide dereferencing standard is only possible in exceptional
cases. But the most visible drawback of the judgment is that the Court does not give any
indication in which exceptional cases a deviation from the local application of the right to
be forgotten is possible. Nor does it provide the criteria by which national DPA or national
courts should be guided in determining or evaluating these cases or their circumstances. The
Court’s above-mentioned assertions point to its continued efforts to preserve the possibility
for Member States to apply the right to be forgotten globally by allowing the adoption of
national laws that provide the basis for effective regulation of privacy and data protection.
70

63
Ibid, p. 37.
64
Ibid, p. 58.
65
Art. 2 and 3(1) of the Consolidated versions of the Treaty on European Union and the Treaty on the
Functioning of the European Union 2012/C 326/01. Available at: https://eur-lex.europa.eu/legal-content/EN/
TXT/?uri=celex%3A12012M%2FTXT.
66
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of
information society services, in particular electronic commerce, in the Internal Market (Directive on electronic
commerce) OJ L 178, 17.7.2000, p. 1–16.
67
Case C507/17 Google LLC v CNIL, p. 49–53.
68
Ibid., para. 72.
69
CNIL, ‘“Right to be forgotten”: the CJEU ruled on the issue’ (Commission Nationale de l’Informatique et des
Libertés, 24 September 2019).
70
To the limits of national measures interfering with privacy see also: VARDANYAN, L., STEHLÍK, V.: Is the
Case Law of ECtHR Ready to Prevent the Expansion of Mass Surveillance in the Post-Covid Europe? European
Studies – the Review of European Law, Economics and Politics, 2020, vol. 7, pp. 253–272.

207ěsttrts fffl ffflffff flffffffflžffČČ?
It should be noted that the issue of universal application of EU data protection legislation
was also considered in the case Eva Glawischnig-Piesczek v Facebook Ireland Limited (Case
C-18/18).
71
The cases of Piesczek v. Facebook and Google v. CNIL considered various EU
legislative acts, but both concerned precisely the territorial scope of injunctions against
internet intermediates.
72
In Piesczek v. Facebook, the CJEU made some changes in its approach
compared to Google v. CNIL. In accordance with the circumstances of the Piesczek v. Facebook
case, a Facebook user published an article about the social security of refugees and included
several slanderous comments about Eva Glawischnig-Piesczek, a  member of the Austrian
Green Party. According to the judgment of the Austrian courts, Facebook has disabled access
to the content in Austria. The Austrian Supreme Court asked the CJEU to consider whether
Article 15 of the E-Commerce Directive allowed the injunction to be extended globally as
well as to other identical statements and those with an equivalent meaning.
The AG recommended the CJEU adhere to the position that the court injunction should
apply worldwide however even if such an injunction should cover identical statements by
any Internet user, that it should only apply to equivalent statements by the user who is the
author of the unique illegal content.
73
As in the case of Google v. CNIL, the importance of
a balance between fundamental rights was again emphasized, for which the AG proposed
criteria for the monitoring of ‘equivalent’ information: it should be “clear, precise and
foreseeable”
74
. The recommended criteria were not reflected in the CJEU judgment itself.
The CJEU allows monitoring for both identical and equivalent information across all users
of an online platform, but it does not point out any qualification for equivalent information.
The CJEU’s judgment does not mention, that the right to personal data protection should be
balanced with other fundamental rights. In the judgment of Piesczek v Facebook the CJEU
only indicated that the monitoring of such information shall be restricted to “information
conveying a message the content of which remains essentially unchanged compared with
[unlawful content]”.
75
But this wording added ambiguity to the question and raised the
question on what information should be subject to monitoring, since it is impossible to
clearly specify what “essentially unchanged” means.
As opposed to Google v. CNIL concerning the territorial scope of injunctions the CJEU
held that Member States could issue them against intermediaries with worldwide effect
“within the confines of public international law”.
76
To substantiate its conclusions regarding
the admissibility of global injunctions in the Piesczek v. Facebook case, the CJEU relied
primarily on article 18(1) and recital 52 of the E-Commerce Directive (ECD). According
to recital 52 of the E-Commerce Directive, Member States must ensure that “appropriate
court actions” are available to guarantee victims effective access to damage which may arise in
connection with “information society services”, which “is characterised both by its rapidity
71
Hereinafter – Piesczek v Facebook.
72
See also MAZÚR, J., PATAKYOVÁ, M.  T.: Regulatory Approaches to Facebook and Other Social Media
Platforms: Towards Platforms Design Accountability. Masaryk University Journal of Law and Technology, 2019,
vol. 13, no. 2, pp. 219–241.
73
Opinion of Advocate General Szpunar delivered on 4 June 2019. Case  C-18/18 Eva Glawischnig-Piesczek
v Facebook Ireland Limited, para. 109.
74
Ibid, para. 71.
75
Ibid.
76
Ibid, para. 53.

208flžMTh ? LUSINE VARDANYAN ? o Koh CY sttrts
and its geographical extent”.
77
Article 18(1) of the E-Commerce Directive provides for the
availability of court actions under national law against information society services, allowing
for “the rapid adoption of measures … designed to terminate any alleged infringement
and prevent any further impairment of the interests involved”. The CJEU noted that in
implementing article 18(1) of the E-Commerce Directive, Member States have a “particularly
broad discretion in relation to the actions and procedures” for such measures.
78
Further, the
CJEU held that given that the means and measures provided for in article 18(1) of the
E-Commerce Directive were directly oriented to cease any alleged violation and to prevent
any future deterioration of the conditions of the interested parties involved, no restrictions
should be allowed on the scope of application of such means and measures. The CJEU also
found that because the E-Commerce Directive did not limit the scope, territorial or otherwise,
of the measures which a Member State could adopt under Article 18(1) or otherwise, the
ECD does not prevent Member States from issuing injunctions with worldwide effect.
79
In the Google v. CNIL case the CJEU noted that neither the provisions of the DPD nor
the provisions of the GDPR imply that in order to ensure a high level of data protection
throughout the EU, these provisions must apply outside the EU. Although in the Piesczek v.
Facebook case the CJEU found that a Member State court could issue orders that not only
extend across the EU but also globally. As one can see the CJEU (almost simultaneously)
demonstrated different approaches to the two EU tools, which are similar in that both require
intermediaries to block or filter content available to end users. However there is no obvious
discrepancy between the approaches reflected in the cases of Google v. CNIL and Piesczek
v. Facebook: the CJEU in Google v CNIL did not rule out a global de-referencing order
and accepted that it would be possible.
80
The CJEU analysed the issue of establishing “any
limitation, including a territorial limitation, on the scope of the measures which Member
States are entitled to adopt” in relation to information society services.
81
The Court stated
that EU law does not exclude that these measures will lead to global limitations.
82
The CJEU
point out that “in view of the global dimension of electronic commerce, the EU legislature
considered it necessary to ensure that EU rules in that area are consistent with the rules
applicable at international level”.
83
The Court also mentioned that “it is up to Member States
to ensure that the measures which they adopt and which produce effects worldwide take
due account of those rules.”
84
So CJEU gives an opportunity to national courts to establish
obligations to remove information covered by the injunction or to block access to that
information worldwide.
85
And this is a continuation of the trend laid down in the CNIL
case, rather than shift in the Court’s approach regarding the territorial scope of the right to
be forgotten. In this framework the right to be forgotten, which develops almost exclusively
as a result of the law-making of the CJEU in conditions when “digital imperialism” becomes
the goal of many developed countries, becomes a kind of tool for asserting its digital power
77
Ibid, para. 52.
78
Case C-18/18 Glawischnig-Piesczek, para. 28–29.
79
Ibid., para. 49–50.
80
Case C507/17 Google LLC v CNIL. para. 72.
81
Case C-18/18 Glawischnig-Piesczek, para. 49.
82
Ibid., para. 50.
83
Ibid., para. 51.
84
Ibid., para. 52.
85
Ibid., para. 53.

209ěsttrts fffl ffflffff flffffffflžffČČ?
for the EU far beyond its borders. Of course, one can considers it as an advantage, but we
tend to believe that this is a disadvantage if we take into account that the CJEU’s judgments,
which are “aimed” at extending their rules to the global digital order, nevertheless do not have
“coercive force”. This means that making judgments that are not destined to become a reality
can significantly reduce the credibility of the CJEU itself.
6. The need to find a balance between global and local approaches
to the right to be forgotten
Life in today’s global digital society does not recognize national borders, primarily because
of the “extra-territorial” nature of information and the Internet itself, and the legal regulation
of this sphere must unavoidably take this fact into account. Otherwise, the application of
this right exclusively on the territory of the EU will not make any sense. In paragraph 72 of
the CNIL case, the CJEU itself acknowledged that the Union-wide exclusion of search results
may not be sufficient to protect privacy rights in some cases. And this consideration implies
the need to extend the EU right to data protection beyond the EU as well. This could be an
ideal opportunity for the EU to justify extending its law outside the EU. As pointed out by
Ch. Kuner: “the globalised environment of the internet, shaped by a combination of hard
law from multiple jurisdictions and private soft law, is the ideal benchmark for the ambitions
of EU law”.
86
But the CJEU, while supporting the possibility of a global application of the
right to be forgotten, does not offer anything new. Even before the ruling on the Google
Spain case some jurisdictions, for example such as Russia, Mexico, Brazil and so on, have
started granting the application of the similar right. Therefore, this can be considered quite
an expected approach; we can say support for the global trend. If only the local application of
the right to be forgotten is recognized by the CJEU it means the ignoring of this fact.
Nevertheless, the extraterritorial application of the EU Data Protection law poses
a number of problems. The adoption of national data protection standards outside the
boundaries of EU jurisdiction may conflict with the obligations of the international comity
and the need to respect the diversity of existed legal systems. In fact, the balance between the
right to be forgotten, freedom of information, and freedom of speech is established differently
in jurisdictions, even if States recognize faith in democracy, the rule of law, and human
rights. Moreover, the application of data protection standards outside the borders of the EU’s
jurisdiction may eventually be negated by the opposite requirements that are established in
other jurisdictions.
87
That is why some scholars recommend to the EU lawmakers that they
not extend the scope of this right beyond the EU.
88
Another constraint on the global application of the right to be forgotten in particular
and the EU data protection law as a whole may be the principle of international comity,
86
KUNER, CH.: The Internet and the Global Reach of EU Law. University of Cambridge Faculty of Law Research
Paper No. 24/2017. SSRN Electronic Journal. April 2017.
87
See FABBRINI F., CELESTE E.: The Right to Be Forgotten in the Digital Age: The Challenges of Data
Protection Beyond Borders. German Law Journal. 2020. Volume 21, Issue S1, p. 55–65. Available at: https://
www.cambridge.org/core/journals/german-law-journal/article/right-to-be-forgotten-in-the-digital-age-the-
challenges-of-data-protection-beyond-borders/3E3E182352F1AD555CBB788E2380E23F.
88
PIRKOVA E., MASSÉ E.: EU Court decides on two major “right to be forgotten” cases: there are no winners
here.
23 October 2019. Available at: https://www.accessnow.org/eu-court-decides-on-two-major-right-to-be-
forgotten-cases-there-are-no-winners-here/.

210flžMTh ? LUSINE VARDANYAN ? o Koh CY sttrts
which is understood as a mutual recognition of the validity of foreign law out of good
will. According to this principle, EU courts should not generally impose European legal
norms on jurisdictions outside the EU.
89
In the Glawischnig-Piesczek case the Court stressed
the importance of consistency between EU law and international rules, without naming
the principle of international comity.
90
The CJEU made it possible for Austrian courts to
impose obligations “to remove information covered by the injunction or to block access
to that information worldwide within the framework of the relevant international law.”
91

However, Advocate General Szpunar in the Google v. CNIL case pointed specifically to the
principle of international comity as incompatible with the global application of the right to
be forgotten.
92
And the ensuring global compliance with Article 17 GDPR must take this
principle of international comity into account. Of course, this is somewhat difficult, given
that the “imposition” of their own standards for the protection of digital rights is inherent not
only in the EU, but also in other states that are trying to extend the rules of their jurisdiction
to information and data.
We believe that the CJEU is not faced with the dilemma of choosing between the local
and global application of the right to be forgotten, but rather with the question of developing
criteria that can pragmatically solve the problems of modulating the impact of the EU data
protection law outside EU borders. However, the choice (or rather the need) for the global
application of this right will undoubtedly be constantly “hanging” over the CJEU: criticism
of the “imposition” of its data protection standards on other States that have their own
claims to control data, contrary to the obligations of the international comity and the need
to respect the diversity of legal systems. And this is one of the many challenges of the global
application of data protection standards. And it is possible (and in fact it is already clear) that,
in view of the increasing tension between these opposite trends, the efforts of the CJEU will
not be aimed at choosing one of the options for applying the right to be forgotten, but rather
at finding the most acceptable balance between them. This can already be seen in the EU case
law, in particular in the case of Glawischnig-Piesczek.
The protection of the digital rights exposes a tension between efforts of states to impose
their own standards outside their borders and aspirations to claim sovereign control over
data and information. This tension exposes the risk of a fragmentation of the digital world.
Although it is obvious that such a tension in the framework of these opposite tendencies, as
a rule, is mostly growing. And as the Court’s case law shows, it tries to offer judgments that will
vary between these two extremes, as in Google v. CNIL and Glawischnig-Piesczek v. Facebook.
The CNIL case defines the local application of law and allows for further recognition of the
global application of EU law and the right to be forgotten in particular. But if in the CNIL
case the Court limited itself only to stating that in certain cases such a global application is
permissible, then in the Glawischnig-Piesczek case the Court suggested such an application as
the main solution to the questions raised in the preliminary request.
89
MCCARTHY, H.: Expanding the GDPR’s journalism exemption – is all the world a stage? Privacy and Data
Protection. 2019. (4), 10. p. 10.
90
Ibid., p. 51.
91
Ibid., p. 53.
92
Opinion of AG Szpunar. Case C507/17 Google LLC v CNIL, para. 27.